ABSTRACT

An elliptic curve encryption system represents coordinates of a point on the curve as a vector of binary digits in a normal basis representation in F_2^m. A key is generated from multiple additions of one or more points in a finite field. Inverses of values are computed using a finite field multiplier and successive exponentiations. A key is represented as the coordinates of a point on the curve and key transfer may be accomplished with the transmission of only one coordinate and identifying information of the second. An encryption protocol using one of the coordinates and a further function of that coordinate is also described.

52 Claims, 5 Drawing Sheets
ELLIPTIC CURVE ENCRYPTION SYSTEMS

This is a continuation of PCT/CA95/00452, filed on Jul. 31, 1995, which is a continuation-in-part of Ser. No. 08/282,263, filed on Jul. 29, 1994, now abandoned.

FIELD OF THE INVENTION

The present invention relates to public key cryptography.

The increasing use and sophistication of data transmission in such fields as telecommunications, networking, cellular communication, wireless communications, "smart card" applications, audio-visual and video communications has led to an increasing need for systems that permit data encryption, authentication and verification.

It is well known that data can be encrypted by utilizing a pair of keys, one of which is public and one of which is private. The keys are mathematically related such that data encrypted with the public key may only be decrypted with the private key and conversely, data encrypted with the private key can only be decrypted with the public key. In this way, the public key of a recipient may be made available so that data intended for that recipient may be encrypted with the public key and only decrypted by the recipient's private key, or conversely, encrypted data sent can be verified as authentic when decrypted with the sender's public key.

The most well known and accepted public key cryptosystems are those based on integer factorization and discrete logarithms in finite groups. In particular, the RSA system for modulus n=p·q where p and q are primes, the Diffie-Hellman key exchange and the ElGamal protocol in Z_p (p a prime) have been implemented worldwide.

The RSA encryption scheme, where two primes p and q are multiplied to provide a modulus n, is based on the integer factorization problem. The public key e and private key d are related such that their product e·d equals 1 (mod φ) where φ=(p-1)(q-1). A message M is encrypted by exponentiating it with the private key e to the modulus n, [C=M^e (mod n)] and decrypted by exponentiating with the public key mod n [M=C^d (mod n)]. This technique requires the transmission of the modulus n and the public key and the security of the system is based on the difficulty of factoring a large number that has no relatively small factors. Accordingly both p and q must be relatively large primes.

One disadvantage of this system is that p and q must be relatively large (at least 512 bits) to attain an adequate level of security. With the RSA protocol this results in a 1024 bit modulus and a 512 bit public key which require significant bandwidth and storage capabilities. For this reason researchers have looked for public key schemes which reduce the size of the public key. Moreover, recent advances in analytical techniques and associated algorithms have rendered the RSA encryption scheme potentially vulnerable and accordingly raised concerns about the security of such schemes. This implies that larger primes, and therefore a larger modulus, need to be employed in order to maintain an acceptable level of security. This in turn increases the bandwidth and storage requirements for the implementation of such a scheme.

Since the introduction of the concept of public key cryptography by Diffie and Hellman in 1976, the potential for the use of the discrete logarithm problem in public key cryptosystems has been recognized. In 1985, ElGamal described an explicit methodology for using this problem to implement a fully functional public key cryptosystem, including digital signatures. This methodology has been refined and incorporated with various protocols to meet a variety of applications, and one of its extensions forms the basis for a proposed U.S. digital signature standard (DSS).

Although the discrete logarithm problem, as first employed by Diffie and Hellman in their public key exchange algorithm, referred explicitly to the problem of finding logarithms with respect to a primitive element in the multiplicative group of the field of integers modulo a prime p, this idea can be extended to arbitrary groups (with the difficulty of the problem apparently varying with the representation of the group).

The discrete logarithm problem assumes that G is a finite group, and a and b are elements of G. Then the discrete logarithm problem for G is to determine a value x (when it exists) such that a^x=b. The value for x is called a logarithm of b to the base a, and is denoted log_a b.

The difficulty of determining this quantity depends on the representation of G. For example, if the abstract cyclic group of order m is represented in the form of the integers modulo m, then the solution to the discrete logarithm problem reduces to the extended Euclidean algorithm, which is relatively easy to solve. However, the problem is made much more occult if m+1 is a prime, and the group is represented in the form of the multiplicative group of the finite field F_{m+1}. This is because the computations must be performed according to the special calculations required for operating in finite fields.

It is also known that by using computations in a finite field whose members lie on an elliptic curve, that is by defining a group structure G on the solutions of y^2+xy=x^3+ax^2+b over a finite field, the problem is again made much more difficult because of the attributes of elliptic curves.

Therefore, it is possible to attain an increased level of security for a given size of key. Alternatively a reduced key may be used to maintain a required degree of security.

The inherent security provided by the use of elliptic curves is derived from the characteristic that an addition of two points on the curve can be defined as a further point that itself lies on the curve. Likewise the result of the addition of a point to itself will result in another point on the curve. Therefore, by selecting a starting point on the curve and multiplying it by an integer, a new point is obtained that lies on the curve. This means that where P=(x,y) is a point on an elliptic curve over a finite field [E(F_q)], with x and y each represented by a vector of n elements then, for any other point R∈<P> (the subgroup generated by P), dP=R. To attack such a scheme, the task is to determine an efficient method to find an integer d, 0≤d≤(order of P)-1, such that dP=R. To break such a scheme, the best algorithms known to date have running times no better than … where p is the largest prime dividing the order of the curve (the number of points on the curve).

Thus, in a cryptographic system where the integer d remains secret, the difficulty of determining d can be exploited.

An ElGamal protocol of key exchange based on elliptic curves takes advantage of this characteristic in its definition of private and public keys. Such an ElGamal protocol operates as follows:

1. In order to set up the protocol, where a message is to be sent from A to B, an elliptic curve must be selected and a point P=(x,y), known as the generating point, must be selected.

Encryption

2. The receiver, B, then picks a random integer d as his private key. He then computes dP, which is another point on the curve, which becomes his public key that is made
available to the sender and the public. Although the sender knows the value dP, due to the characteristic of elliptic curves noted above, he has great difficulty determining the private key d.

3. The sender A chooses another random integer k, the session seed, and computes another point on the curve, kP, which serves as a public session key. This also exploits the characteristic of elliptic curves mentioned above.

4. The sender, A, then retrieves the public key dP of receiver B and computes kdP, another point on the curve, which serves as the shared encryption key for that session.

5. The sender, A, then encrypts the message M with the encryption key to obtain the ciphertext C.

6. The sender then sends the public session key kP and the ciphertext C to the receiver B.

Decryption

7. The receiver, B, determines the encryption key kdP by multiplying his private key d by kP.

8. The receiver, B, can then retrieve the message M by decrypting the ciphertext C with the encryption key kdP.

During the entire exchange, the private key d and the seed key k remain secret so that even if an interloper intercepts the session key kP he cannot derive the encryption key kdP from B's public key dP.

Elliptic curve cryptosystems can thus be implemented employing public and private keys and using the ElGamal protocol.

The elliptic curve cryptography method has a number of benefits. First, each person can define his own elliptic curve for encryption and decryption, which gives rise to increased security. If the private key security is compromised, the elliptic curve can be easily redefined and new public and private keys can be generated to return to a secure system. In addition, to decrypt data encoded with the method, only the parameters for the elliptic curve and the session key need be transmitted.

One of the drawbacks of other public key systems is the large bandwidth and storage requirements for the public keys. The implementation of a public key system using elliptic curves reduces the bandwidth and storage requirements of the public key system because the parameters can be stored in fewer bits. Until now, however, such a scheme was considered impractical due to the computational difficulties involved and the requirement for high speed calculations. The computation of kP, dP and kdP used in a key exchange protocol require complex calculations due to the mathematics involved in adding points in elliptic curve fields.

Computations on an elliptic curve are performed according to a well known set of relationships. If K defines any field, then an equation of the form y^2+a_1xy+a_3y=x^3+a_2x^2+a_4x+a_6, where each of the coefficients a_i lie in K, defines an elliptic curve over K. If E is the set of points on this curve, then an abelian group can be defined on the set E∪{O}, where O is a special element not occurring in E. O acts as the zero element of the group. If P=(x,y), then -P=(x,-y) in the case of an odd characteristic, and for two points P and Q on the curve where Q≠±P, the sum P+Q is the third point on the curve where the line joining P and Q again meets the curve. If P=Q, then the tangent line is used. As in any abelian group, we use the notation nP to denote P added to itself n times if n is positive, and -P added to itself |n| times if n is negative, and 0P=O.

If F_q is a finite field, then elliptic curves over F_q can be divided into two classes, namely supersingular and non-supersingular curves. If F_q is of characteristic 2, i.e. q=2^m, then the classes are defined as follows.

i) The set of all solutions to the equation y^2+ay=x^3+bx+c where a,b,c∈F_q, a≠0, together with a special point called the point at infinity O is a supersingular curve over F_q.

ii) The set of all solutions to the equation y^2+xy=x^3+ax^2+b where a,b∈F_q, b≠0, together with a special point called the point at infinity O is a nonsupersingular curve over F_q.

By defining an appropriate addition on these points, we obtain an additive abelian group. The addition of two points P(x_1,y_1) and Q(x_2,y_2) for the supersingular elliptic curve E with y^2+ay=x^3+bx+c is given by the following:

If P=(x_1,y_1)∈E, then define -P=(x_1,y_1+a). P+O=O+P=P for all P∈E.

If Q=(x_2,y_2)∈E and Q≠-P, then the point representing the sum P+Q is denoted (x_3,y_3), where

$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus x_1 \oplus x_2 \quad (P \neq Q)$ or

$x_3 = \left(\frac{x_1^2 \oplus b}{a}\right)^2 \quad (P = Q)$ and

$y_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus y_1 \oplus a \quad (P \neq Q)$ or

$y_3 = \left(\frac{x_1^2 \oplus b}{a}\right)(x_1 \oplus x_3) \oplus y_1 \oplus a \quad (P = Q)$

The addition of two points P(x_1,y_1) and Q(x_2,y_2) for the nonsupersingular elliptic curve y^2+xy=x^3+ax^2+b is given by the following: if P=(x_1,y_1)∈E then define -P=(x_1,y_1+x_1). For all P∈E, O+P=P+O=P. If Q=(x_2,y_2)∈E and Q≠-P, then P+Q is a point (x_3,y_3) where

$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2 \oplus a \quad (P \neq Q)$ or

$x_3 = x_1^2 \oplus \frac{b}{x_1^2} \quad (P = Q)$ and

$y_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus x_3 \oplus y_1 \quad (P \neq Q)$ or

$y_3 = x_1^2 \oplus \left(x_1 \oplus \frac{y_1}{x_1}\right) x_3 \oplus x_3 \quad (P = Q)$

Accordingly it can be seen that computing the sum of two points on E requires several multiplications, additions, and inverses in the underlying field F_q. In turn, each of these operations requires a sequence of elementary bit operations.

When implementing an ElGamal or Diffie-Hellman scheme with elliptic curves, one is required to compute kP=P+P+ . . . +P (P added k times) where k is a positive integer and P∈E. This requires the computation of (x_3,y_3) to be computed k-1 times. Even if alternative techniques such as "double and add" are utilised, it is still necessary to compute the addition of two points several times, each of which requires multiplications, additions and inverses in the underlying finite field. For large values of k which are typically necessary in cryptographic applications, this has previously been considered impractical for data communication.

It is an object of the present invention to provide a method of encryption utilizing elliptic curves that facilitates the computation of additions of points while providing an adequate level of security in an efficient and effective manner.

The applicants have developed a method using a modified version of the Diffie-Hellman and ElGamal protocols
defined in the group associated with the points on an elliptic curve over a finite field. The method involves formulating the elliptic curve calculations so as to make elliptic curve cryptography efficient, practical and viable, and preferably employs the use of a finite field processor such as the Computational Method and Apparatus for Finite Field Multiplication as disclosed in U.S. Pat. No. 4,745,568. The preferred method exploits the strengths of such a processor with its computational abilities in finite fields. The inventive method structures the elliptic curve calculations as finite field multiplication and exponentiation over the field F_q. In the preferred method, a normal basis representation of the finite field is selected, and the calculations can then readily be performed on a finite field processor.

The inventors have recognized that the computations necessary to implement the elliptic curve calculations can be performed efficiently where a finite field of characteristic 2 is chosen.

When computing in a field of characteristic 2, i.e. F_2^m, squaring is a linear operation, i.e. (A+B)^2 is A^2+B^2. By adapting appropriate representations, the computation of the squared terms required in the addition of two points is greatly simplified. In particular, if a normal basis representation is chosen, squaring can be achieved through a cyclic shift of the binary vector representing the field element to be squared.

Moreover, computing inverses in F_2^m can be implemented with simple shift and XOR operations by selection of an appropriate representation. In some implementations, the computation of an inverse can be arranged to utilize multiple squaring operations and thereby improve the efficiency of the computation.

When such computations are performed using a normal basis representation of the finite field, the inventors have also recognized that the elliptic curve calculations are further simplified. With the computations presented in this form, the applicants have realized that specialized semiconductor devices can be fabricated to perform the calculations. With the calculations presented in such a form, additions in the field F_2^m can be efficiently performed in one clock cycle utilizing a simple XOR operation. Multiplications can be performed very efficiently in only n clock cycles where n is the number of bits being multiplied. Furthermore, squaring can be efficiently performed in 1 clock cycle as a cyclic shift of the bit register. Finally, inverses can easily be computed, requiring approximately log_2 n multiplications rather than the approximately 2n multiplications required in other arithmetic systems.

The inventors have also recognized that the bandwidth and storage requirements of a cryptographic system utilizing elliptic curves can be significantly reduced where for any point P(x,y) on the curve, only the x coordinate and one bit of the y coordinate need be stored and transmitted, since the one bit will indicate which of the two possible solutions is the second coordinate.

The inventors have also recognized when using the ElGamal protocol that messages need not be points on the curve if the protocol is modified such that the message M is considered as a pair of field elements M_1M_2 and each is operated on by the coordinates (x,y) of the session encryption key kdP in a predetermined manner to produce new field elements C_1C_2 that represent the ciphertext C. The receiver can then extract the message M=(m_1,m_2) by applying the inverse transformation of the predetermined manner. Although this may require an inverse operation in the field, it may be performed efficiently in the field F_2^m, and in particular when operating with the processor noted above.

To assist in the appreciation of the implementation of the present invention, it is believed that a review of the underlying principles of finite field operations is appropriate.

The finite field F_2 is the number system in which the only elements are the binary numbers 0 and 1 and in which the rules of addition and multiplication are the following:

0+0=1+1=0
0+1=1+0=1
0×0=1×0=0×1=0
1×1=1

These rules are commonly called modulo-2 arithmetic. All additions specified in logic expressions or by adders in this application are performed modulo-2 as an XOR operation. Furthermore, multiplication is implemented with logical gates.

The finite field F_2^m, where m is an integer greater than 1, is the number system in which there are 2^m elements and in which the rules of addition and multiplication correspond to arithmetic modulo an irreducible polynomial of degree m with coefficients in F_2. Although in an abstract sense there is for each m only one field F_2^m, the complexity of the logic required to perform operations in F_2^m depends strongly on the particular way in which the field elements are represented. Operations may be performed using processors implemented in either hardware or software, with dedicated hardware processors generally considered faster.

The conventional approach to operations performed in F_2^m is described in such papers as T. Bartee and D. Schneider, "Computation with Finite Fields", Information and Control, Vol. 6, pp. 79-98, 1963. In the conventional approach, one first chooses a polynomial P(X) of degree m which is irreducible over F_2, that is, P(X) has binary coefficients but cannot be factored into a product of polynomials with binary coefficients each of whose degree is less than m. An element A in F_2^m is then defined to be a root of P(X), that is, to satisfy P(A)=0. The fact that P(X) is irreducible guarantees that the m elements A^0=1, A, A^2, . . . A^{m-1} of F_2^m are linearly independent over F_2.

For the purposes of illustration the example of F_2^3 will be used with the choice of P(X)=X^3+X+1 for the irreducible polynomial of degree 3. The next step is to define A as an element of F_2^3 such that A^3+A+1=0. The following assignment of unit vectors is then made:

A^0=1=[1,0,0]
A^1=[0,1,0]
A^2=[0,0,1]

An arbitrary element B of F_2^3 is now represented by the binary vector [b_2, b_1, b_0] with the meaning that B=[b_2, b_1, b_0]=b_2A^2+b_1A+b_0.

If we represent a second element C=[c_2, c_1, c_0], it follows that B+C=[b_2⊕c_2, b_1⊕c_1, b_0⊕c_0].

Thus, in the conventional approach, addition in F_2^3 is easily performed by logic that merely forms the modulo-2 sum of the two vectors representing the elements to be summed component-by-component. Multiplication is, however, considerably more complex to implement.

Continuing the example, from the irreducible polynomial it can be seen that A^3=A+1 and A^4=A^2+A where use has been made of the fact that -1=+1 in F(2). In hardware, multiplication can be simplified by taking advantage of the special feature of a finite field F_2^m that there always exists a so-called normal basis for the finite field. That is, one can always find a field element N such that N, N^2, N^4 . . . N^{2^{m-1}} are a basis for F_2^m. Every field element B can be uniquely written as B=b_{m-1}N^{2^{m-1}}+ . . . +b_2N^4+b_1N^2+b_0N=[b_{m-1}, . . . , b_2, b_1, b_0] where b_0, b_1, b_2, . . . b_{m-1} are binary digits.
For example, in the finite field F_2^3, if we let N=[1,1,0]
Then, if B=[b_{m-1}, . . . , b_2, b_1, b_0] and C=[c_{m-1}, . . . , c_2, c_1, c_0] are any two elements of F_2^m in normal basis representation, then the product D=B×C=[d_{m-1}, . . . , d_2, d_1, d_0] has the property that the same logic circuitry which when applied to the components or binary digits of the vectors representing B and C produces d_{m-1} will sequentially produce the remaining components d_{m-2}, . . . , d_2, d_1, d_0 of the product when applied to the components of the successive shifts of the vectors representing B and C.

As illustrated in U.S. Pat. No. 4,745,568 for Computational Method and Apparatus for Finite Field Multiplication, multiplication may be implemented by storing bit vectors B and C in respective shift registers and establishing connections to respective accumulating cells such that a grouped term of each of the expressions d_i is generated in respective ones of m accumulating cells. By rotating the bit vectors B and C in the shift registers and by rotating the contents of the accumulating cells, each grouped term of a respective binary digit d_i is accumulated in successive cells. Thus all of the binary digits of the product vector are generated simultaneously in the accumulating cells after one complete rotation of the bit vectors B and C.

One attribute of operating such a processor in the field F_2^m is that squaring is a linear operation in the sense that for every pair of elements B and C in F_2^m, (B+C)^2=B^2+C^2. It is also the case for every element B of F_2^m that B^{2^m}=B.

In particular in a normal basis representation, squaring an element involves a cyclic shift of the vector representation of the element, i.e. if B=[b_{m-1}, . . . , b_2, b_1, b_0] then B^2=[b_{m-2}, . . . , b_2, b_1, b_0, b_{m-1}].

Thus when using the processor exemplified above, squaring may be achieved in one cycle. Moreover, this general characteristic of F_2^m, where squaring is a linear operation, may be exploited in other implementations, such as software, where a normal basis representation is not used.
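The finite-field review above (the F_2^3 example with P(X)=X^3+X+1, the normal basis N, N^2, N^4, . . . , squaring as a cyclic shift, and inversion by repeated squaring) as an added example; this is editor's code, not the patent's, which targets a dedicated normal-basis processor. It builds F_2^3 from P(X), checks A^3=A+1 and A^4=A^2+A, converts every element to the normal basis generated by N=[1,1,0] and verifies that squaring is a one-position cyclic shift of the normal-basis coordinates, and computes inverses with the Itoh-Tsujii addition chain of squarings, counting the multiplications used. Assumptions that are mine and not the page's: elements are Python ints with bit i the coefficient of A^i; N=[1,1,0] is read as 1+A under the page's unit-vector assignment A^0=[1,0,0], A^1=[0,1,0]; and the degree-155 reduction polynomial X^155+X^62+1 (an irreducible trinomial) is used only to count multiplications at the patent's field size.

```python
# Editor's example, not code from the patent. Field elements are ints: bit i is the
# coefficient of A^i in the polynomial basis {1, A, A^2, ...} (constructed convention).

def gf_mul(a, b, m, poly):
    """Shift-and-add product of a and b modulo the degree-m irreducible polynomial poly."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:          # degree reached m: reduce by P(X)
            a ^= poly
    return r

def gf_sqr(a, m, poly):
    return gf_mul(a, a, m, poly)

def gf_pow(a, e, m, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m, poly)
        a, e = gf_sqr(a, m, poly), e >> 1
    return r

def normal_basis_coords(b, n, m, poly):
    """[b_0, ..., b_{m-1}] with b = b_0 N + b_1 N^2 + ... + b_{m-1} N^(2^(m-1)).
    Brute force over all 2^m combinations, so only intended for tiny m."""
    basis = [n]
    for _ in range(m - 1):
        basis.append(gf_sqr(basis[-1], m, poly))
    for bits in range(1 << m):
        acc = 0
        for i in range(m):
            if bits >> i & 1:
                acc ^= basis[i]
        if acc == b:
            return [bits >> i & 1 for i in range(m)]
    raise ValueError("N does not generate a normal basis")

def squaring_is_cyclic_shift(n, m, poly):
    """True if for every element the normal-basis coordinates of B^2 are those of B rotated
    by one position: the coefficient of N^(2^i) moves to N^(2^(i+1)), and N^(2^m) = N."""
    for b in range(1 << m):
        c = normal_basis_coords(b, n, m, poly)
        if normal_basis_coords(gf_sqr(b, m, poly), n, m, poly) != [c[-1]] + c[:-1]:
            return False
    return True

def inverse_by_squaring(b, m, poly):
    """Itoh-Tsujii: b^-1 = (b^(2^(m-1) - 1))^2.  The inner power is built from an addition
    chain on m-1 using squarings (a cyclic shift in normal basis) plus a few multiplications.
    Returns (inverse, number of multiplications used)."""
    muls = 0
    def pow_2k_minus_1(x, k):                # x^(2^k - 1)
        nonlocal muls
        if k == 1:
            return x
        if k % 2 == 0:
            t = pow_2k_minus_1(x, k // 2)    # x^(2^(k/2) - 1)
            u = t
            for _ in range(k // 2):          # t^(2^(k/2)) by k/2 squarings
                u = gf_sqr(u, m, poly)
            muls += 1
            return gf_mul(u, t, m, poly)
        t = pow_2k_minus_1(x, k - 1)
        muls += 1
        return gf_mul(gf_sqr(t, m, poly), x, m, poly)
    return gf_sqr(pow_2k_minus_1(b, m - 1), m, poly), muls

# The page's F_2^3 example: P(X) = X^3 + X + 1, A a root of P, and N = [1,1,0] = 1 + A.
M3, P3, A, N3 = 3, 0b1011, 0b010, 0b011

def check_f8_example():
    """Checks from the review: A^3 = A + 1, A^4 = A^2 + A, squaring as a shift, inverses."""
    return {
        "A^3 == A + 1": gf_pow(A, 3, M3, P3) == (A ^ 1),
        "A^4 == A^2 + A": gf_pow(A, 4, M3, P3) == (gf_sqr(A, M3, P3) ^ A),
        "squaring is a cyclic shift": squaring_is_cyclic_shift(N3, M3, P3),
        "B * B^-1 == 1 for all B != 0": all(
            gf_mul(b, inverse_by_squaring(b, M3, P3)[0], M3, P3) == 1 for b in range(1, 8)),
    }

if __name__ == "__main__":
    print(check_f8_example())
    # Multiplication count at the patent's field size, m = 155 (X^155 + X^62 + 1 assumed).
    print(inverse_by_squaring(0b101, 155, (1 << 155) | (1 << 62) | 1)[1])
```

For m=155 the chain costs 10 multiplications and 154 squarings, which is the "approximately log_2 n multiplications" the page contrasts with the roughly 2n of other systems; in F_2^8 with the AES polynomial the same routine returns the familiar inverse 0xCA of 0x53 after 4 multiplications.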

As noted above, the inventors have taken advantage of the efficiency of the mathematical operations in F_2^m in the implementation of an elliptic curve encryption scheme. The applicants have developed a method of formulating the elliptic curve calculations so as to make elliptic curve cryptography efficient, practical and viable. The preferred method employs the use of a finite field processor such as the Computational Method and Apparatus for Finite Field Multiplication as disclosed in U.S. Pat. No. 4,745,568. The method couples the attractive cryptographic characteristics of elliptic curves with the strengths of the field processor through its computational abilities in the finite field F_2^m. The inventive method structures the elliptic curve calculations as operations, such as multiplication and exponentiation, over the field F_2^m, which can readily be calculated on a finite field processor.

BRIEF DESCRIPTION OF THE DRAWINGS 

An embodiment of the invention will now be described by way of example only with reference to the accompanying drawings in which:
FIG. 1 is a diagram of the transmission of an encrypted message from one location to another,

FIG. 2 is a diagram of an encryption module used with the 
communication system of FIG. 1, 

FIG. 3 is a diagram of a finite field processor used in the 
encryption and decryption module of FIG. 2. 

FIG. 4 is a flow chart showing movement of the elements 
through the processor of FIG. 3 in computing an inverse 
function. 

FIG. 5 is a flow chart showing movement of elements 
through the processor of FIG. 3 to compute the addition of 
two points. 

An embodiment of the invention will first be described utilising an ElGamal key exchange protocol and a Galois field F_2^155 to explain the underlying principles. Further refinements will then be described.

SYSTEM COMPONENTS 

Referring therefore to FIG. 1, a message M is to be 
transferred from a transmitter 10 to a receiver 12 through a 
communication channel 14. Each of the transmitters 10 and 
receiver 12 has an encryption/decryption module 16 asso- 
ciated therewith to implement a key exchange protocol and 
an encryption/decryption algorithm. 

The module 16 is shown schematically in FIG. 2 and includes an arithmetic unit 20 to perform the computations in the key exchange and generation. A private key register 22 contains a private key, d, generated as a 155 bit data string from a random number generator 24, and used to generate a public key stored in a public key register 26. A base point register 28 contains the coordinates of a base point P that lies on the selected elliptic curve, with each coordinate (x, y) represented as a 155 bit data string. Each of the data strings is a vector of binary digits with each digit being the coefficient of an element of the finite field in the normal basis representation of the coordinate.

The elliptic curve selected will have the general form y^2+xy=x^3+ax^2+b and the parameters of that curve, namely the coefficients a and b, are stored in a parameter register 30.
The contents of registers 22, 24, 26, 28, 30 may be trans- 
ferred to the arithmetic unit 20 under control of a C.P.U. 32 
as required. 

The contents of the public key register 26 are also 
available to the communication channel 14 upon a suitable 
request being received. In the simplest implementation, each 
encryption module 16 in a common security zone will 
operate with the same curve and base point so that the 
contents of registers 28 and 30 need not be accessible. If 
further sophistication is required, however, each module 16 
may select its own curve and base point in which case the 
contents of registers 28, 30 have to be accessible to the 
channel 14. 

The module 16 also contains an integer register 34 that 
receives an integer k, the session seed, from the generator 24 
for use in encryption and key exchange. The module 16 has 
a random access memory (RAM) 36 that is used as a 
temporary store as required during computations. 

The encryption of the message M with an encryption key 
kdP derived from the public key dP and session seed integer 
k is performed in an encryption unit 40 which implements a 
selected encryption algorithm. A simple yet effective algo- 
rithm is provided by an XOR function which XOR's the 
message m with the 310 bits of the encryption key kdP. 
Alternative implementations such as the DES encryption 
algorithm could of course be used. 
An alternative encryption protocol treats the message m as pairs of coordinates m_1, m_2, each of 155 bit lengths in the case of F_2^155, and XOR's the message m_1, m_2 with the coordinates of the session key kdP to provide a pair of bit strings (m_1⊕x_0), (m_2⊕y_0). For further security a pair of field elements are also formed from the coordinates (x_0, y_0) of kdP.

In one embodiment, the elements are formed from the concatenation of part of x_0 with part of y_0, for example,

where x_01 is the first half of the bit string of x_0,
x_02 is the second half of the bit string of x_0,
y_01 is the first half of the bit string of y_0,
y_02 is the second half of the bit string of y_0.

The elements z_1 and z_2, when treated as field elements, are then multiplied with respective bit strings (m_1⊕x_0) and (m_2⊕y_0) to provide bit strings c_1, c_2 of ciphertext c, i.e.

c_1 = z_1(m_1⊕x_0)
c_2 = z_2(m_2⊕y_0)
In a preferred implementation of the encryption protocol, a function of x_0 is used in place of y_0 in the above embodiment. For example the function x_0^3 is used as the second 155 bit string so that

c_2 = z_2(m_2⊕x_0^3)

and

where x_01^3 is the first half of x_0^3,
x_02^3 is the second half of x_0^3.

This protocol is also applicable to implementation of elliptic curve encryption in a field other than F_2^m, for example Z_p or in general F_q.

Where Z_p is used it may be necessary to adjust the values of x_0 and y_0 or x_0^3 to avoid overflow in the multiplication with z_1 and z_2. Conventionally this may be done by setting the most significant bit of x_0 and y_0 (or x_0^3) to zero.

Key Generation, Exchange and Encryption 

In order for the transmitter 10 to send the message M to the receiver 12, the receiver's public key is retrieved by the transmitter 10. The public key is obtained by the receiver 12 computing the product of the secret key d and base point P in the arithmetic unit 20 as will be described more fully below. The product dP represents a point on the selected curve and serves as the public key. The public key dP is stored as two 155 bit data strings in the public key register 26.

Upon retrieval of the public key dP by the transmitter 10, 
it is stored in the RAM 36. It will be appreciated that even 
though the base point P is known and publicly available, the 
attributes of the elliptic curve inhibit the extraction of the 
secret key d. 

The transmitter 10 uses the arithmetic unit 20 to compute 
the product of the session seed k and the public key dP and 
stores the result, kdP, in the RAM 36 for use in the 
encryption algorithm. The result kdP is a further point on the 
selected curve, again represented by two 155 bit data strings 
or vectors, and serves as an encryption key. 

The transmitter 10 also computes the product of the 
session seed k with the base point P to provide a new point 
kP, the session public key, which is stored in the RAM 36. 
The transmitter 10 now has the public key dP of the receiver 12, a session public key kP and an encryption key kdP and may use these to send an encrypted message. The transmitter 10 encrypts the message M with the encryption key kdP in the encryption unit 40 implementing the selected encryption protocols discussed above to provide an encrypted message C. The ciphertext C is transmitted together with the value kP to the encryption module 16 associated with receiver 12.

The receiver 12 utilises the session public key kP with its 
private key d to compute the encryption key kdP in the 
arithmetic unit 20 and then decrypt the ciphertext C in the 
encryption unit 40 to retrieve the message M. 

During this exchange, the secret key d and the session 
seed k remain secret and secure. Although P, kP and dP are 
known, the encryption key kdP cannot be computed due to 
the difficulty in obtaining either d or k. 

The efficacy of the encryption depends upon the efficient 
computation of the values kP, dP and kdP by the arithmetic 
unit 20. Each computation requires the repetitive addition of 
two points on the curve, which in turn requires the compu-
tation of squares and inverses in F_{2^m}. 

Operation of the Arithmetic Unit 

The operation of the arithmetic unit 20 is shown sche-
matically in FIG. 3. The unit 20 includes a multiplier 48 
having a pair of cyclic shift registers 42, 44 and an accu-
mulating register 46. Each of the registers 42, 44, 46 contains 
m cells 50a, 50b . . . 50m, in this example 155, to receive 
the m elements of a normal basis representation of one of the 
coordinates, e.g. x_1, of P. As fully explained in U.S. Pat. No. 
4,745,568, the cells 50 of registers 42, 44 are connected to 
the corresponding cells 50 of accumulating register 46 in such 
a way that a respective grouped term is generated in each 
cell of register 46. The registers 42, 44, 46 are also directly 
interconnected in a bit wise fashion to allow fast transfers of 
data between the registers. 

The movement of data through the registers is controlled 
by a control register 52 that can execute the instruction set 
shown in the table below: 

TABLE 1 

INSTRUCTION SET 

Operation                                     Size                              Clock Cycles 
--------------------------------------------  --------------------------------  --------------------------- 
Field Multiplication                          155 bit blocks                    156 
  MULT 
Calculation of Inverse                        24 multiplications                approx. 3800 
  INVERSE 
I/O                                           5 x 32 bit transfers per          10 
  WRITE (A, B or C)                           read/write to registers 
  READ (A, B or C) 
Elementary Register                           155 bit parallel operation        2 clock cycles per transfer 
  (idle) NOP 
  ROTATE (A, B or C) 
  COPY (A <- B), (A <- C), (B <- A), (B <- C) 
  SWAP (A <-> B) 
  CLEAR (A, B or C) 
  SET (A, B or C) 
  ADD (A (+) B) 
  ACCUMULATE 


The unit 20 includes an adder 54 to receive data from the 
registers 42, 44, 46 and RAM 36. The adder 54 is an XOR 
function and its output is a data stream that may be stored in 
RAM 36 or one of the registers 42, 44. Although shown as 
a serial device, it will be appreciated that it may be imple-
mented as a parallel device to improve computing time; 
similarly the registers 42, 44, 46 may be parallel loaded. Each 
of the registers 42, 44, 46 is a 155 bit register and is 
addressed by a 32 bit data bus to allow 32 bit data transfer 
in 2 clock cycles and the entire loading in 5 operations. 

The subroutines used in the computation will now be 
described. 

a) Multiplication 

The cyclic shift of the elements through the registers 42, 
44 m times with a corresponding shift of the accumulating 
register 46 accumulates successive group terms in respective 
accumulating cells, and a complete rotation of the elements 
in the registers 42, 44 produces the elements of the product 
in the accumulating register 46. 

b) Squaring 

By operating in F_{2^m} and adopting a normal basis repre-
sentation of the field elements, the multiplier 48 may also 
provide the square of a number by cyclically shifting the 
elements one cell along the register 42. After a one cell 
shift, the elements in the register represent the square of the 
number. In general, a number may be raised to the power 2^g 
by cyclically shifting g times through a register. 

c) Inversion 

Computation of the inverse of a number can be performed 
efficiently with the multiplier 48 by implementing an algo-
rithm which utilises multiple squaring operations. The 
inverse X^{-1} is represented as X^{2^m - 2} or X^{2(2^{m-1} - 1)}. 

If m-1 is considered as the product of two factors g, h then 
X^{-1} may be written as X^{2(2^{gh} - 1)} or p^{2^{gh} - 1} where p = X^2. 

The exponent 2^{gh} - 1 is equivalent to 

  (2^g - 1) \sum_{j=0}^{h-1} 2^{gj} 

The term 2^g - 1 may be written as 

  \sum_{j=0}^{g-1} 2^j 

so that 

  p^{2^g - 1} = p^{\sum_{j=0}^{g-1} 2^j} = p^{1 + 2 + 2^2 + \ldots + 2^{g-1}} 

and is denoted y. 
This term may be computed on multiplier 48 as shown in 
FIG. 4 by initially loading register 42 with the value X. 
This is shifted 1 cell to represent p (i.e. X^2) and the result 
loaded into both registers 42, 44. 
Register 44 is then shifted to provide p^2 and the registers 
42, 44 multiplied to provide p^{1+2} in the accumulating 
register 46. The multiplication is obtained with one motion, 
i.e. an m bit cyclic shift, of each of the registers 42, 44, 46. 

The accumulated term p^{1+2} is transferred to register 44 
and register 42, which contains p^2, is shifted one place to 
provide p^4. The registers 42, 44 are multiplied to provide p^{1+2+4}. 

This procedure is repeated g-2 times to obtain y. As will 
be described below, y can be exponentiated in a similar 
manner to obtain 

  y^{\sum_{j=0}^{h-1} 2^{gj}}, i.e. X^{-1}. 

This term can be expressed as y^{1 + 2^g + 2^{2g} + \ldots + 2^{(h-1)g}}. 

As noted above, y can be exponentiated to the 2^g by 
shifting the normal basis representation g times in the 
register 42, or 44. 

Accordingly, the registers 42, 44 are each loaded with the 
value y and the register 42 shifted g times to provide y^{2^g}. The 
registers 42, 44 are multiplied to provide y \cdot y^{2^g} or y^{1 + 2^g} in the 
accumulating register 46. This value is transferred to the 
register 44 and the register 42 shifted g times to provide y^{2^{2g}}. 

The multiplication will then provide y^{1 + 2^g + 2^{2g}}. Repetition 
of this procedure (h-1)g-1 times produces the inverse of X 
in the accumulating register 46. 

From the above it will be seen that squaring, multiplying, 
and inverting can be effectively performed utilising the finite 
field multiplier 48. 

Addition of Point P to Itself (P+P) Using the Subroutines 

To compute the value of dP for generation of the public 
key, the arithmetic unit 20 associated with the receiver 12 
initially computes the addition of P+P. As noted in the 
introduction, for a nonsupersingular curve the new point Q 
has coordinates (X_3, Y_3) where 

To compute X_3, the following steps may be implemented 
as shown in FIG. 5. 

The m bits representing X_1 are loaded into register 42 
from base point register 28 and shifted one cell to the right 
to provide X_1^2. This value is stored in RAM 36 and the 
inverse of X_1^2 computed as described above. 

The value of X_1^{-2} is loaded into register 44 and the 
parameter b extracted from the parameter register 30 and 
loaded into register 42. The product bX_1^{-2} is computed in the 
accumulating register 46 by rotating the bit vectors and the 
resultant value XOR'd in adder 52 with the value of X_1^2 stored 
in RAM 36 to provide the normal basis representation of X_3. 
The result may be stored in RAM 36. 

A similar procedure can be followed to generate Y_3 by 
first inverting X_1, multiplying the result by Y_1 and XORing 
with X_1 in the adder 52. This is then multiplied by X_3 stored 
in RAM 36 and the result XOR'd with the value of X_3 and 
X_1^2 to produce Y_3. 
The resultant value of (X_3, Y_3) represents the sum of P+P 
and is a new point Q on the curve. This could then be added 
to P to produce a new point Q'. This process could be 
repeated d-2 times to generate dP. 

The addition of P+Q requires the computation of (X_3, Y_3) 
where 

  x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2 \oplus a 

  y_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus x_3 \oplus y_1 

This would be repeated d-2 times with a new value of Q 
at each iteration to compute dP. 

Whilst in principle this is possible with the arithmetic unit 
20, in practice the large numbers used make such a proce-
dure infeasible. A more elegant approach is available using 
the binary representation of the integer d. 

Computation of dP from 2P 

To avoid adding dissimilar points P and Q, the binary 
representation of d is used with a doubling method to reduce 
the number of additions and the complexity of the additions. 

The integer d can be expressed as 

  d = \sum_{i=0}^{t} \lambda_i 2^i 

so that 

  dP = \sum_{i=0}^{t} \lambda_i (2^i P) = \lambda_t 2^t P + \lambda_{t-1} 2^{t-1} P + \ldots + \lambda_3 2^3 P + \lambda_2 2^2 P + \lambda_1 2P + \lambda_0 P 

The values of \lambda_i are the binary representation of d. 

Having computed 2P, the value obtained may be added to 
itself, as described above at FIG. 5, to obtain 2^2 P, which in 
turn can be added to itself to provide 2^3 P etc. This is repeated 
until 2^t P is obtained. 

At each iteration, the value of 2^i P is retained in RAM 36 
for use in subsequent additions to obtain dP. 

The arithmetic unit 20 performs a further set of additions 
for dissimilar points for those terms where \lambda_i is 1 to provide 
the resultant value of the point (x_3, y_3) representing dP. 

If for example k=5, this can be computed as 2^2 P+P or 
2P+2P+P or Q+Q+P. Therefore the result can be obtained in 
3 additions: 2P=Q takes 1 addition, Q+Q=R takes 1 addition 
and R+P takes 1 addition. At most t doublings and t 
subsequent additions are required depending on how many 
\lambda_i are 1. 

Performance of Arithmetic Unit 20 

For computations in a Galois field F_{2^155} it has been found 
that computing the inverse takes approximately 3800 clock 
cycles. 

The doubling of a point, i.e. the addition of a point to itself, 
takes in the order of 4500 clock cycles and for a practical 
implementation of a private key, the computation of the 
public key dP may be computed in the order of 1.5x10^5 
clock cycles. With a clock rate typically in the order of 40 
MHz, the computation of dP will take in the order of 3x10^-2 
seconds. This throughput can be enhanced by bounding the 
seed key k with a Hamming weight of, for example, 20 and 
thereby limiting the number of additions of dissimilar points. 

Computation of Session Public Key kP and 
Encryption Key kdP 

The session public key kP can similarly be computed with 
the arithmetic unit 20 of transmitter 10 using the base point 
P from register 28. Likewise, because the public key dP is 
represented as a point (x_3, y_3), the encryption key kdP can be 
computed in similar fashion. 

Each of these operations will take a similar time and can 
be completed prior to the transmission. 

The recipient 12 is similarly required to compute dkP as 
he receives the ciphertext C, which again will take in the 
order of 3x10^-2 seconds, well within the time expected for 
a practical implementation of an encryption unit. 

The public key dP and the session key kP are each 
represented as a 310 bit data string and as such require a 
significantly reduced bandwidth for transmission. At the 
same time, the attributes of elliptic curves provide a secure 
encryption strategy with a practical implementation due to 
the efficacy of the arithmetic unit 20. 

Curve Selection 

a) The selection of the field F_{2^m} 

The above example has utilised a field of 2^155 and a 
non-supersingular curve. The value 155 was chosen in part 
because an optimal basis exists in F_{2^155} over F_2. 
However, a main consideration is the security and efficiency 
of the encryption system. The value 155 is large enough to 
be secure but small enough for efficient operation. A con-
sideration of conventional attacks that might be used to 
break the ciphertext suggests that with elliptic curves over 
F_{2^m} a value of m of about 130 provides a very secure system. 
Using one thousand devices in parallel, the time taken to find 
one logarithm is about 1.5x10^… seconds or at least 1500 
years using the best known method and the field F_{2^155}. Other 
techniques produce longer run times. 

b) Supersingular v. Nonsupersingular Curves 

A comparison of attacks on data encrypted using elliptic 
curves suggests that non-supersingular curves are more 
robust than supersingular curves. For a field F_{2^m}, an attack 
based on the method suggested by Menezes, Okamoto and 
Vanstone in an article entitled "Reducing elliptic curve 
logarithms to logarithms in finite field" published in the 
Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, 
1991, pp 80-89, (the MOV attack) shows that for small 
values of k the attack becomes subexponential. Most 
supersingular curves have small values of k associated with 
them. In general however, non-supersingular curves have 
large values of k and provided k > log^2 q then the MOV attack 
is less efficient than more conventional general 
attacks. 

The use of a supersingular curve is attractive since the 
doubling of a point (i.e. the case where P=Q) does not 
require any real time inversions in the underlying field. For 
a supersingular curve, the coordinates of 2P are 

  x_3 = \frac{x_1^4 \oplus b^2}{a^2} \quad \text{and} \quad y_3 = \left(\frac{x_1^2 \oplus b}{a}\right)(x_1 \oplus x_3) \oplus y_1 \oplus a 

Since a is a constant, a^{-1} and a^{-2} are fixed for a given curve 
and can be precomputed. The values of x_1^2 and x_1^4 can be 
computed with a single and double cyclic shift respectively 
on the multiplier 48. However, the subsequent addition of 
dissimilar points to provide the value of dP still requires the 
computation of an inverse as 

  x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus x_1 \oplus x_2 
Accordingly, although supersingular curves lead to effi-
cient implementations, there is a relatively small set of 
supersingular curves from which to choose, particularly if 
the encryption is to be robust. For a supersingular curve 
where m is odd, there are 3 classes of curve that can be 
considered further, namely 

  y^2 + y = x^3 
  y^2 + y = x^3 + x 
  y^2 + y = x^3 + x + 1 

However, a consideration of these curves for the case 
where m=155 shows that none provide the necessary robust-
ness from attack. 

Enhanced security for supersingular curves can be 
obtained by employing quadratic extensions of the under-
lying field. In fact, in F_q where q = 2^310, i.e. a quadratic 
extension of F_{2^155}, amongst the supersingular curves there 
are four which under the MOV attack require computation 
of discrete logs in F_{2^…}. These curves provide the requisite 
high security and also exhibit a high throughput. Similarly, 
in other extensions of subfields of F_{2^155} (e.g. F_{2^31}) other curves 
exist that exhibit the requisite robustness. However, their use 
increases the digits that define a point and hence the band-
width when they are transmitted. 

By contrast, the number of nonsupersingular curves of 
F_q, q = 2^155, is 2(2^155 - 1). By selecting q = 2^m, i.e. a field F_{2^m}, the 
value of a in the representation of the curve, y^2 + xy = x^3 + 
ax^2 + b, can be chosen to be either 1 or 0 without loss of 
generality. This large choice of curves permits large numbers 
of curves over this field to be found for which the order of 
a curve is divisible by a large prime factor. In general, 
determining the order of an arbitrary nonsupersingular curve 
over F_{2^m} is not trivial and one approach is explained further 
in a paper entitled "Counting Points on Elliptic Curves" by 
Menezes, Vanstone and Zuccherato, Mathematics of Com-
putation 1992. 

In general however, the selection of suitable curves is well 
known in the art, as exemplified in "Application of Finite 
Fields", chapters 7 and 8, by Menezes, Blake et al, Kluwer 
Academic Publishers (ISBN 0-7923-9282-5). Because of the 
large numbers of such curves that meet the requirements, the 
use of nonsupersingular curves is preferred despite the 
added computations. 
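The inversion chain of section c), the P+P and P+Q formulas, the double-and-add computation of dP and the dP / kP / kdP key computation above, worked through in Python as an added example; this is not code from the patent. It assumes a constructed field with m = 7 (so m-1 = 6 = g·h with g = 3, h = 2) in a polynomial basis with reduction polynomial x^7 + x + 1, constructed curve coefficients a = 1 and b = x^3 + x + 1, and a base point found by exhaustive search. Because the basis is polynomial rather than normal, squaring is a field multiplication here instead of the one-cell cyclic shift used by the multiplier 48, but the exponent chain and the point arithmetic are the same.

```python
# Added example (not the patent's code): GF(2^m) arithmetic, the two-stage
# inversion chain of section c), affine doubling/addition on the curve
# y^2 + xy = x^3 + a x^2 + b, double-and-add, and the dP/kP/kdP computation.
# Constructed parameters: m = 7 (m - 1 = 6 = g*h, g = 3, h = 2), polynomial
# basis with reduction polynomial x^7 + x + 1, a = 1, b = x^3 + x + 1.
# Squaring is a field multiplication here; in a normal basis it is one shift.
M = 7
POLY = 0b10000011            # x^7 + x + 1, irreducible over GF(2)
A_COEF, B_COEF = 1, 0b1011   # constructed curve coefficients a, b

def gf_mul(a, b):
    """Product of two field elements (ints below 2^M) reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:               # degree reached M: subtract POLY
            a ^= POLY
    return r

def gf_sq(a):
    return gf_mul(a, a)

def gf_pow2k(a, k):
    """a^(2^k) by k squarings (k cyclic shifts in a normal basis)."""
    for _ in range(k):
        a = gf_sq(a)
    return a

def gf_inv(x, g=3, h=2):
    """X^-1 = X^(2^m - 2) = p^(2^(gh) - 1) with p = X^2 and gh = m - 1:
    stage 1 y = p^(1 + 2 + ... + 2^(g-1)); stage 2 y^(1 + 2^g + ... + 2^((h-1)g))."""
    assert g * h == M - 1 and x != 0
    p = gf_sq(x)
    y, term = p, p
    for _ in range(g - 1):       # multiply in p^2, p^4, ..., p^(2^(g-1))
        term = gf_sq(term)
        y = gf_mul(y, term)
    inv, term = y, y
    for _ in range(h - 1):       # multiply in y^(2^g), y^(2^(2g)), ...
        term = gf_pow2k(term, g)
        inv = gf_mul(inv, term)
    return inv

def on_curve(P):
    """True for the point at infinity (None) or an affine point on the curve."""
    if P is None:
        return True
    x, y = P
    return gf_sq(y) ^ gf_mul(x, y) == gf_mul(gf_sq(x), x) ^ gf_mul(A_COEF, gf_sq(x)) ^ B_COEF

def point_double(P):
    """2P: x3 = x1^2 + b x1^-2, y3 = x1^2 + (x1 + y1 x1^-1) x3 + x3."""
    if P is None or P[0] == 0:   # x1 = 0 means P = -P, so 2P = O
        return None
    x1, y1 = P
    x1sq, x1inv = gf_sq(x1), gf_inv(x1)
    x3 = x1sq ^ gf_mul(B_COEF, gf_sq(x1inv))
    lam = x1 ^ gf_mul(y1, x1inv)
    return (x3, x1sq ^ gf_mul(lam, x3) ^ x3)

def point_add(P, Q):
    """P + Q, lam = (y1+y2)/(x1+x2): x3 = lam^2 + lam + x1 + x2 + a,
    y3 = lam (x1 + x3) + x3 + y1; P = Q goes to point_double."""
    if P is None or Q is None:
        return Q if P is None else P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:                 # Q is P or -P = (x1, x1 + y1)
        return point_double(P) if y1 == y2 else None
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_sq(lam) ^ lam ^ x1 ^ x2 ^ A_COEF
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def scalar_mult(d, P):
    """dP = sum over the binary digits lambda_i of d of lambda_i * (2^i P)."""
    result, pow2_P = None, P     # pow2_P holds 2^i P (kept in RAM 36 in the text)
    while d:
        if d & 1:
            result = point_add(result, pow2_P)
        pow2_P = point_double(pow2_P)
        d >>= 1
    return result

def find_base_point():
    """Constructed base point: first affine point with x != 0 (search is cheap for m = 7)."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if on_curve((x, y)):
                return (x, y)

def key_exchange_demo(d, k):
    """Receiver publishes dP, transmitter sends kP; both sides derive kdP."""
    P = find_base_point()
    dP = scalar_mult(d, P)       # receiver 12: public key
    kP = scalar_mult(k, P)       # transmitter 10: session public key
    return scalar_mult(k, dP), scalar_mult(d, kP)   # (kdP, dkP) must agree
```

`gf_inv` accepts any factorisation g·h = m-1, so the same routine can be checked with g = 2, h = 3; `key_exchange_demo(157, 163)` returns the transmitter's kdP and the receiver's dkP, which agree because both equal (kd)P.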

An alternative approach that reduces the number of inver-
sions when using nonsupersingular curves is to employ 
homogeneous coordinates. A point P is defined by the 
coordinates (x_1, y_1, z_1) and Q by the point (x_2, y_2, z_2). 

The point (0, 1, 0) represents the identity O in E. 

To derive the addition formulas for the elliptic curve with 
this representation, we take points P = (x_1, y_1, z_1) and Q = (x_2, 
y_2, z_2), normalize each to (x_1/z_1, y_1/z_1, 1), (x_2/z_2, y_2/z_2, 1), 
and apply the previous addition formulas. If P = (x_1, y_1, z_1), 
Q = (x_2, y_2, z_2), P, Q ≠ O, and P ≠ -Q then P+Q = (x_3, y_3, z_3) where, 
if P ≠ Q, then 

  x_3 = AD 

  y_3 = CD + A^2(Bx_1 + Ay_1) 

  z_3 = A^3 z_1 z_2 

where A = x_2 z_1 + x_1 z_2, B = y_2 z_1 + y_1 z_2, C = A + B and D = A^2(A + 
a z_1 z_2) + z_1 z_2 BC. 

In the case of P=Q, then 

  x_3 = AB 

  y_3 = x_1^4 A + B(x_1^2 + y_1 z_1 + A) 

  z_3 = A^3 

where A = x_1 z_1 and B = b z_1^4 + x_1^4. 

It will be noted that the computation of x_3, y_3 and z_3 does 
not require any inversion. However, to derive the coordi-
nates x_3, y_3 in a nonhomogeneous representation, it is 
necessary to normalize the representation so that 

This operation requires an inversion that utilizes the 
procedure noted above. However, only one inversion opera-
tion is required for the computation of dP. 

Using homogeneous coordinates, it is still possible to 
compute dP using the version of the double and add method 
described above. The computing action of P+Q, P ≠ Q, 
requires 13 field multiplications, and 2P requires 7 multi-
plications. 

Alternative Key Transfer 

In the example above, the coordinates of the keys kP, kdP 
are each transferred as two 155 bit field elements for F_{2^155}. 
To reduce the bandwidth further it is possible to transmit 
only one of the co-ordinates and compute the other coordi- 
nate at the receiver. An identifier, for example a single bit of 
the correct value of the other coordinate, may also be 
transmitted. This permits the possibilities for the second 
coordinate to be computed by the recipient and the correct 
one identified from the identifier. 

Referring therefore to FIG. 1, the transmitter 10 initially 
retrieves as the public key dP of the receiver 12, a bit string 
representing the coordinate x 0 and a single bit of the 
coordinate y 0 . 

The transmitter 10 has the parameters of the curve in 
register 30 and therefore may use the coordinate x 0 and the 
curve parameters to obtain possible values of the other 
coordinate y 0 from the arithmetic unit 20. 

For a curve of the form y^2 + xy = x^3 + ax^2 + b and a coordinate 
x_0, the possible values y_1, y_2 for y_0 are the roots of the 
quadratic y^2 + x_0 y = x_0^3 + ax_0^2 + b. 

By solving for y in the arithmetic unit 20 two possible 
roots will be obtained and comparison with the transmitted 
bit of information will indicate which of the values is the 
appropriate value of y. 

The two possible values of the second coordinate (y_0) 
differ by x_0, i.e. y_1 = y_2 + x_0. 

Since the two values of y_0 differ by x_0, then y_1 and y_2 will 
always differ where a "1" occurs in the representation of x_0. 
Accordingly the additional bit transmitted is selected from 
one of those positions and examination of the corresponding 
bit of the values of y_0 will indicate which of the two roots is the 
appropriate value. 

The transmitter 10 thus can generate the coordinates of the 
public key dP even though only 156 bits are retrieved. 

Similar efficiencies may be realized in transmitting the 
session key kP to the receiver 12 as the transmitter 10 need 
only forward one coordinate, x_0, and the selected identifying 
bit of y_0. The receiver 12 may then reconstruct the possible 
values of y_0 and select the appropriate one. 

In the field F_{2^m} it is not possible to solve for y using the 
quadratic formula as 2a = 0. Accordingly, other techniques 
need to be utilised and the arithmetic unit 20 is particularly 
adapted to perform this efficiently. 
In general, provided x_0 is not zero, if y = x_0 z then x_0^2 z^2 + 
x_0^2 z = x_0^3 + ax_0^2 + b. 
This may be written as 

  z^2 + z = x_0 + a + \frac{b}{x_0^2} = c 

i.e. z^2 + z = c. 
If m is odd then either 

  z = c + c^4 + c^{16} + \ldots + c^{2^{m-1}} 
    = c^{2^0} + c^{2^2} + c^{2^4} + \ldots + c^{2^{m-3}} + c^{2^{m-1}} 

or z = 1 + c^{2^0} + c^{2^2} + \ldots + c^{2^{m-1}}, to provide two possible values for 
y_0. 

A similar solution exists for the case where m is even that 
also utilises terms of the form c^{2^i}. 

This is particularly suitable for use with a normal basis 
representation in F_{2^m}. 

As noted above, raising a field element in F_{2^m} to a power 
2^g can be achieved by a g fold cyclic shift where the field 
element is represented in a normal basis. 

Accordingly, each value of z can be computed by shifting 
and adding and the values of y_0 obtained. The correct one of 
the values is determined by the additional bit transmitted. 

The use of a normal basis representation in F_{2^m} therefore 
simplifies the protocol used to recover the coordinate y_0. 

If P = (x_0, y_0) is a point on the elliptic curve E: y^2 + xy = x^3 + 
ax^2 + b defined over a field F_{2^m}, then the identifying bit ŷ_0 is defined to be 0 if 
x_0 = 0; if x_0 ≠ 0 then ŷ_0 is defined to be the least significant bit 
of the field element y_0 · x_0^{-1}. 

The x-coordinate x_0 of P and the bit ŷ_0 are transmitted 
between the transmitter 10 and receiver 12. Then the y 
coordinate y_0 can be recovered as follows. 

1. If x_0 = 0 then y_0 is obtained by cyclically shifting the 
vector representation of the field element b that is 
stored in parameter register 30 one position to the left. 
That is, if 

  b = b_{m-1} b_{m-2} . . . b_1 b_0 

then y_0 = b_{m-2} . . . b_1 b_0 b_{m-1}. 

2. If x_0 ≠ 0 then do the following: 

2.1 Compute the field element c = x_0 + a + b x_0^{-2} in F_{2^m}. 

2.2 Let the vector representation of c be c = c_{m-1} c_{m-2} . . . c_1 c_0. 

2.3 Construct a field element z = z_{m-1} z_{m-2} . . . z_1 z_0 by 
setting 

  z_0 = ŷ_0, 
  z_1 = c_0 ⊕ z_0, 
  z_2 = c_1 ⊕ z_1, 
  . . . 
  z_{m-2} = c_{m-3} ⊕ z_{m-3}, 
  z_{m-1} = c_{m-2} ⊕ z_{m-2}. 

2.4 Finally, compute y_0 = x_0 · z. 

It will be noted that the computation of x_0^{-2} can be readily 
performed in the arithmetic unit 20 as described above and 
that the computation of y_0 can be obtained from the multi-
plier 48. 
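Recovery of y_0 from x_0 and the identifying bit, as an added Python example that is not the patent's code. It solves z^2 + z = c with the odd-m formula z = c + c^4 + ... + c^{2^{m-1}} from the description above, working in a polynomial basis (the bit recurrence of step 2.3 is the normal-basis form of the same equation), takes ŷ_0 as the least significant bit of y_0 · x_0^{-1} as defined above, and covers the x_0 = 0 case of step 1 by computing y_0 = sqrt(b). The field (m = 7, reduction polynomial x^7 + x + 1) and the curve coefficients a = 1, b = x^3 + x + 1 are constructed assumptions; a trace check rejects an x_0 that is not the x-coordinate of any curve point.

```python
# Added example (not the patent's code): recovering y_0 from x_0 and the
# identifying bit on y^2 + xy = x^3 + a x^2 + b over GF(2^m) with m odd.
# z^2 + z = c is solved with the odd-m formula z = c + c^4 + ... + c^(2^(m-1))
# from the description, in a polynomial basis (the bit recurrence of step
# 2.3 is the normal-basis form of the same equation). Constructed parameters:
# m = 7, reduction polynomial x^7 + x + 1, a = 1, b = x^3 + x + 1.
M = 7
POLY = 0b10000011            # x^7 + x + 1
A_COEF, B_COEF = 1, 0b1011   # constructed curve coefficients a, b

def gf_mul(a, b):
    """Product of two field elements (ints below 2^M) reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_pow2k(a, k):
    """a^(2^k): k squarings, i.e. k cyclic shifts in a normal basis."""
    for _ in range(k):
        a = gf_mul(a, a)
    return a

def gf_inv(x):
    """x^(2^m - 2) by square-and-multiply (the shift-based chain is shown above)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def trace(c):
    """Tr(c) = c + c^2 + ... + c^(2^(m-1)); z^2 + z = c is solvable iff Tr(c) = 0."""
    t, s = 0, c
    for _ in range(M):
        t, s = t ^ s, gf_mul(s, s)
    return t

def half_trace(c):
    """For odd m: z = c^(2^0) + c^(2^2) + ... + c^(2^(m-1)) satisfies z^2 + z = c + Tr(c)."""
    z, s = 0, c
    for _ in range((M + 1) // 2):
        z, s = z ^ s, gf_pow2k(s, 2)
    return z

def on_curve(P):
    x, y = P
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ gf_mul(A_COEF, gf_mul(x, x)) ^ B_COEF

def compress(P):
    """(x0, y0) -> (x0, ybit): ybit = 0 if x0 = 0, else the LSB of y0 * x0^-1 (z_0 in the text)."""
    x0, y0 = P
    return x0, (0 if x0 == 0 else (gf_mul(y0, gf_inv(x0)) & 1))

def decompress(x0, ybit):
    """Recover (x0, y0) from x0 and the identifying bit; raises if x0 is not an x-coordinate."""
    if x0 == 0:                  # step 1: y0^2 = b, so y0 = sqrt(b) = b^(2^(m-1))
        return (0, gf_pow2k(B_COEF, M - 1))
    x0inv = gf_inv(x0)
    c = x0 ^ A_COEF ^ gf_mul(B_COEF, gf_mul(x0inv, x0inv))   # step 2.1: c = x0 + a + b x0^-2
    if trace(c):
        raise ValueError("no point on the curve has this x-coordinate")
    z = half_trace(c)            # step 2.3: one root of z^2 + z = c
    if (z & 1) != ybit:          # the other root is z + 1; the bit selects between them
        z ^= 1
    return (x0, gf_mul(x0, z))   # step 2.4: y0 = x0 * z
```

Because the two roots of z^2 + z = c differ by the field element 1, they differ in the least significant bit in this polynomial basis (and in every bit in a normal basis, where 1 is the all-ones vector), which is why a single bit of z suffices to pick the correct y_0.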
In the above examples, the identification of the appropri-
ate value of y_0 has been obtained by transmission of a single 
bit and a comparison of the values of the roots obtained. 
However, other indicators may be used to identify the 
appropriate one of the values and the operation is not 
restricted to encryption with elliptic curves in the field 
GF(2^m). For example, if the field is selected as Z_p, p ≡ 3 (mod 
4), then the Legendre symbol associated with the appropriate 
value could be transmitted to designate the appropriate 
value. Alternatively, the set of elements in Z_p could be 
subdivided into a pair of subsets with the property that if y 
is in one subset, then -y is in the other, provided y ≠ 0. An 
arbitrary value can then be assigned to respective subsets 
and transmitted with the coordinate x_0 to indicate in which 
subset the appropriate value of y_0 is located. Accordingly, 
the appropriate value of y_0 can be determined. Conveniently, 
it is possible to take an appropriate representation in which 
the subsets are arranged as intervals to facilitate the identi-
fication of the appropriate value of y_0. 

These techniques are particularly suitable for encryption 
utilizing elliptic curves but may also be used with any 
algebraic curves and have applications in other fields such as 
error correcting coding where coordinates of points on 
curves have to be transferred. 

It will be seen therefore that by utilising an elliptic curve 
lying in the finite field GF(2^m) and utilising a normal basis 
representation, the computations necessary for encryption 
with elliptic curves may be efficiently performed. Such 
operations may be implemented in either software or hard-
ware and the structuring of the computations makes the use 
of a finite field multiplier implemented in hardware particu-
larly efficient. 

I claim: 

1. In a data encryption system in which the data is 
combined with an encryption key to produce ciphertext, a 
method of generating a key comprising the steps of 

a) selecting an elliptic curve of the form y^2 + xy = x^3 + ax^2 + b 
lying in the finite field GF(2^m), said field being selected 
to have elements A^{2^i} (0 ≤ i ≤ m) that constitute a normal 
basis, 

b) representing the coordinates of a point on said curve as 
a set of vectors, each vector representing a coordinate 
of said point and having m binary digits, each of which 
represents the coefficient of A^{2^i} in the normal basis 
representation of said vector, 

c) computing from addition of at least two sets of vectors 
an additional set of vectors to represent the coordinates 
of a further point on said curve, and 

d) utilising said additional set of vectors to derive a key 
for encrypting data. 

2. A method according to claim 1 wherein addition of sets 
of vectors involves at least one squaring operation. 

3. A method according to claim 2 wherein said squaring 
operation is performed on at least one of said vectors of one 
of said sets representing a point. 

4. A method according to claim 3 wherein said squaring 
operation is performed on combinations of vectors from a 
plurality of said sets representing respective points. 

5. A method according to claim 3 wherein each of said 
vectors is represented as m binary digits and squaring 
thereof is performed by a cyclic shift of said m binary digits. 

6. A method according to claim 5 wherein said m binary 
digits are stored in respective cells of a shift register and 
squaring thereof is performed by a cyclic shift of said m bits 
in said register. 

7. A method according to claim 1 wherein addition of sets 
of vectors involves the computation of at least one inverse 
of a vector. 
8. A method according to claim 7 wherein said inversion 
utilises multiple squaring operations. 

9. A method according to claim 8 wherein squaring 
operations are performed by a cyclic shift of binary digits. 

10. A method according to claim 7 wherein computation 
of said inverse includes an exponentiation of the square of 
the vector to provide a value y of the form 

where p is the square of the vector and g is a factor of m-1. 

11. A method according to claim 10 wherein successive 
terms of said exponentiation are obtained by successive 
cyclic shifts of the vector. 

12. A method according to claim 11 wherein the value of 
y is accumulated after each cyclic shift by multiplication 
of the shifted term with the previously accumulated value of 
y. 

13. A method according to claim 10 wherein m binary 
digits representing p are stored in each of a pair of shift 
registers, one of said pair of registers being cyclically shifted 
and said pair of registers being multiplied to provide an 
intermediate value of y. 

14. A method according to claim 13 wherein said one of 
said pair of registers is further cyclically shifted to provide 
a further successive term of said expansion and said further 
successive term multiplied with said intermediate value to 
provide a further intermediate value of y. 

15. A method according to claim 14 wherein said cyclic 
shifting and multiplication is performed g-2 times to com-
plete said exponentiation of p and provide a value of y. 

16. A method according to claim 10 where computation of 
said inverse includes a further exponentiation of y of the 
form 

where h is a factor of m-1 such that gh=m-1. 

17. A method according to claim 16 wherein successive 
terms of said further exponentiation are obtained by successive 
cyclic shifts of the m binary digits representing y. 

18. A method according to claim 17 wherein the value of 
said inverse is accumulated after each cyclic shift by mul-
tiplication of the shifted term with the previously accumu-
lated value of y. 

19. A method according to claim 16 wherein m binary 
digits representing y are stored in each of a pair of shift 
registers, one of said pair of registers being cyclically shifted 
and said pair of registers being multiplied together to 
provide an intermediate value of said inverse. 

20. A method according to claim 19 wherein said one of 
said pair of registers is further cyclically shifted to provide 
a further successive term of said expansion which is then 
multiplied with said intermediate value of said inverse to 
provide a further intermediate value thereof. 

21. A method according to claim 20 wherein said cyclic 
shifting and multiplication is performed (h-1)g-1 times to 
complete exponentiation of y. 

22. A method according to claim 11 wherein said further 
point on said curve is an integer multiple d of said point P 
and said value dP is computed by successively doubling 
multiples of P to provide terms 2^i P from i=0 to t=m, and 
computing 

  dP = \sum_{i=0}^{t} \lambda_i 2^i P 

where \lambda_i is the coefficient of the binary representation of d. 

23. A method according to claim 22 wherein doubling of 
multiples of P is obtained by computing 

and 

where x_1, y_1 are the coordinates of the point 2^{i-1}P and x_3, y_3 are 
the coordinates of the point 2^i P. 

24. A method according to claim 23 wherein computation 
of the term x_1^2 is obtained by a cyclic shift of binary digits 
representing x_1 in a normal basis. 

25. A method according to claim 24 wherein computation 
of the inverse of x_1^2 is computed by an exponentiation of x_1^2 
to provide a value y of the form 

  p^{1 + 2 + 2^2 + \ldots + 2^{g-1}} 

where p = x_1^2 and g is a factor of m-1. 

26. A method according to claim 25 wherein successive 
terms of said exponentiation are obtained by successive 
cyclic shifts of the binary digits representing x_1^2 in a normal 
basis. 

27. A method according to claim 26 wherein computation 
of the inverse of x_1^2 includes a further exponentiation of y 
of the form 

  y^{1 + 2^g + 2^{2g} + \ldots + 2^{(h-1)g}} 

where h is a factor of m-1 such that gh=m-1. 

28. A method according to claim 27 wherein successive 
terms of said further exponentiation are obtained by successive 
cyclic shifts of the m binary digits representing y. 

29. A method of transferring the coordinates of a point on 
an algebraic curve defined by a function of two variables 
between a pair of correspondents connected by a data 
communications link comprising the steps of forwarding 
from one correspondent to another a coordinate of said 
point, providing at said other correspondent parameters of 
said algebraic curve, and computing at said other correspon- 
dent said other coordinate from said one coordinate and said 
algebraic curve. 

30. A method according to claim 29 including the step of 
forwarding with said one coordinate identifying information 
of said other coordinate and utilising said identifying infor- 
mation and a discriminating function to determine the appro- 
priate value of said other coordinate. 

31. A method according to claim 30 wherein said identi- 
fying information is a digital bit of said other coordinate that 
identifies the appropriate value of said other coordinate. 

32. A method according to claim 30 wherein said alge- 
braic curve is an elliptic curve of the form y 2 +xy=x 3 +ax 2 +b 
and said other coordinate is determined by solving a qua- 
dratic equation to provide two possible values of said other 
coordinate, said identifying information indicating the 
appropriate one of said values. 

33. A method according to claim 32 wherein said identi- 
fying information is a digital bit of said other coordinate that 
identifies the appropriate value of said other coordinate. 
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34. A method according to claim 30 wherein said alge- 
braic curve is defined over the field Zp and said identifying 
information indicates the Legendre symbol of the appropri- 
ate value. 

35. A method according to claim 30 wherein said curve is 
defined over the field $Z_p$ and the elements thereof subdivided 
into a pair of subsets, one of which contains one possible 
value and the other of which contains the other possible 
value, said identifying information identifying the subset 
containing the appropriate value. 
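Worked example of the transfer of claims 29 to 35 over $Z_p$, added here and not part of the patent text: the sender forwards x together with one piece of identifying information, the receiver recomputes both candidate values of y from the curve parameters and keeps the one selected by the discriminating function. Three discriminating functions are shown side by side: a bit of y (claim 31), the Legendre symbol of y (claim 34) and the half of $Z_p$ that contains y (claim 35). The page does not spell out the curve equation over $Z_p$, so the short Weierstrass form $y^2 = x^3 + ax + b$ is assumed; the modulus $2^{127}-1$, the coefficients a = -3, b = 7 and all function names are this example's own choices. The square root is taken as $r^{(p+1)/4}$, which is only valid for $p \equiv 3 \pmod 4$; that same congruence is what makes -1 a non-residue, so y and p-y always have opposite Legendre symbols.

```python
# Added example (not the patent's code): coordinate transfer over Z_p with the
# three discriminating functions of claims 31, 34 and 35.
P = (1 << 127) - 1                 # constructed modulus: a prime with P % 4 == 3
A, B = P - 3, 7                    # assumed toy curve y^2 = x^3 - 3x + 7 over Z_p


def legendre(v):
    """Legendre symbol (v/P): 1 for a non-zero square, -1 otherwise, 0 for v = 0."""
    s = pow(v % P, (P - 1) // 2, P)
    return -1 if s == P - 1 else s


def candidates(x):
    """The two values y, P - y with y^2 = x^3 + ax + b, or None if x is off the curve."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # a square root when rhs is a square (P % 4 == 3)
    if y * y % P != rhs:
        return None
    return y, (P - y) % P


# Each function takes different values on y and P - y (y != 0), so one value of
# it is enough for the receiver to tell the two roots apart.
DISCRIMINATORS = {
    "parity": lambda y: y & 1,                          # a bit of y (claim 31)
    "legendre": legendre,                               # (y/P); (-1/P) = -1 here (claim 34)
    "subset": lambda y: int(y > (P - 1) // 2),          # lower or upper half of Z_p (claim 35)
}


def compress(x, y, method):
    """What the sender forwards: x and the identifying information for y."""
    if y == 0:
        raise ValueError("y = 0 has no second candidate; nothing to identify")
    return x, DISCRIMINATORS[method](y)


def decompress(x, ident, method):
    """Receiver side: recompute both roots from the curve, keep the one that matches."""
    cands = candidates(x)
    if cands is None:
        raise ValueError("no point on the curve has this x coordinate")
    for y in cands:
        if DISCRIMINATORS[method](y) == ident:
            return y
    raise ValueError("identifying information matches neither root")


def find_point(x=1):
    """Smallest x at or above the given value that has a point on the curve."""
    while candidates(x) is None:
        x += 1
    return x, candidates(x)[0]
```

For a modulus with $p \equiv 1 \pmod 4$ the exponentiation in candidates must be replaced by a general square-root algorithm (Tonelli-Shanks), and the Legendre discriminator no longer works, since -1 is then a square and y and p-y have the same symbol; the parity and subset discriminators are unaffected.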

36. A method according to claim 29 wherein said alge-
braic curve is an elliptic curve of the form $y^2+xy=x^3+ax^2+b$ 
defined over a finite field $F_{2^m}$. 

37. A method according to claim 36 including the step of 
forwarding with said one coordinate identifying information 
of said other coordinate and utilising said identifying infor- 
mation and a discriminating function to determine the appro- 
priate value of said other coordinate. 

38. A method according to claim 37 wherein said field 
$GF(2^m)$ has field elements $A^{2^i}$, $i=0,\dots,m-1$, that constitute a normal basis. 

39. A method according to claim 38 wherein said other 
coordinate is determined by solving a quadratic equation to 
provide two possible values of said other coordinate, said 
identifying information indicating the appropriate one of 
said values. 

40. A method according to claim 39 wherein said qua-
dratic equation is solved by summing terms of the form $c^{2^g}$ 
from g=0 to g=m-1 where 

$c = x_0 + a + \dfrac{b}{x_0^{2}}$

and $x_0$ is said one coordinate. 

41. A method according to claim 40 wherein terms of the 
form $c^{2^g}$ are obtained by g-fold cyclic shifts of the normal basis 
representation of c. 

42. A method of encrypting a message m using a public 
key cryptographic system and having a private key formed 
from a bit string representative of the coordinates (x, y) of a 
point P on an elliptic curve, said method comprising the 
steps of representing said message m as a pair of message bit 
strings $m_1$, $m_2$ of length corresponding to the bit strings 
representing the coordinates x, y, and combining said mes-
sage bit strings with an enciphering bit string derived from 
at least one of said coordinates to generate a ciphertext c of 
said message. 

43. A method according to claim 42 wherein said enci- 
phering bit strings are derived from each of said coordinates 
to produce ciphertext c. 

44. A method according to claim 42 wherein said message 
bit strings are combined with enciphering bit strings derived 
from one of said coordinates and a function thereof to 
produce said ciphertext. 

45. A method according to claim 44 wherein said enci-
phering bit string is derived from said coordinate x and the 
cube $x^3$ thereof. 

46. A method according to claim 42 wherein field ele- 
ments z are derived from at least one of said coordinates and 
modify the combination of said message bit strings and said 
enciphering bit string. 

47. A method according to claim 46 wherein said cipher-
text c is of the form $(c_1, c_2)$ where 

$c_1 = z_1\,(m_1 \oplus f_1(x_0))$ and 
$c_2 = z_2\,(m_2 \oplus f_2(x_0))$; 

$f_1(x_0)$, $f_2(x_0)$ are respective first and second values derived 
from the coordinate x and $z_1$ and $z_2$ are respective field 
elements derived from the coordinate x. 
48. A method according to claim 47 wherein $f_2(x_0)$ is said 
second coordinate y. 

49. A method according to claim 47 wherein $f_2(x_0)$ is the 
cube of the value of the coordinate x. 

50. A method according to claim 47 wherein said field 
elements z are formed by concatenating part of each of said 
values $f_1(x_0)$, $f_2(x_0)$. 

51. A method according to claim 50 wherein $f_2(x_0)$ is 
derived from the cube of the value of the coordinate x. 
52. A method according to claim 47 wherein 

and 

$c_2 = z_2\,(m_2 \oplus x_0^{3})$ 

and 

$z_1 = x_1 \,\|\, x_2^{3}$ 

and 

$z_2 = x_2 \,\|\, x_1^{3}$ 

where $x_1 \| x_2^{3}$ is the concatenation of the first half of the 
representation of the coordinate x and the second half of 
the representation of $x^3$, and $x_2 \| x_1^{3}$ is the 
concatenation of the second half of the representation of the 
coordinate x with the first half of the representation of 
$x^3$. 
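Worked example, added here and not the patent's own code, that carries three of the claimed procedures through in one place over $F_{2^m}$ with the curve $y^2+xy=x^3+ax^2+b$ of claims 36 to 41: inversion as the product of successive squarings of claims 27 and 28 (the case h = 1, g = m-1, where the final squaring supplies the leading factor 2 in the exponent), recovery of y from x and one identifying bit (claims 37 to 41), and the cipher of claims 47 to 52 with $z_1 = x_1 \| x_2^3$ and $z_2 = x_2 \| x_1^3$. The field is $F_{2^{163}}$ in a polynomial basis with reduction polynomial $x^{163}+x^7+x^6+x^3+1$, so a squaring is an ordinary multiplication rather than the cyclic shift the claims rely on in a normal basis; the quadratic $z^2+z=c$ is solved with the standard half-trace for odd m rather than the summation of claim 40; the coefficients a = b = 1 are a toy choice and not a standard curve; and the identifying bit is taken from $z = y/x$ because the two candidate values y and y+x always differ in the low bit of y/x but not necessarily in any fixed bit of y itself. All function names, the split of an m-bit string into a high "first half" of 82 bits and a low "second half" of 81 bits, and the sample message are this example's own.

```python
# Added example (not the patent's code): F_{2^163} arithmetic in polynomial basis,
# point decompression on y^2 + xy = x^3 + a x^2 + b, and the claim-52 cipher.
M = 163                                                  # field degree, odd
RED = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1    # x^163+x^7+x^6+x^3+1
A, B = 1, 1                                              # assumed toy curve, b != 0

def f2m_mul(u, v):
    """Multiply two field elements (integers < 2^M) modulo RED."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:
            u ^= RED
    return r

def f2m_sq(u):
    return f2m_mul(u, u)

def f2m_inv(y):
    """y^-1 = y^(2^m - 2) = (y^(1 + 2 + 2^2 + ... + 2^(m-2)))^2: the product of
    successive squarings of claims 27/28 with h = 1, g = m - 1."""
    if y == 0:
        raise ZeroDivisionError("0 has no inverse")
    acc, term = 1, y
    for _ in range(M - 1):
        acc = f2m_mul(acc, term)
        term = f2m_sq(term)        # y^(2^g): a cyclic shift in a normal basis
    return f2m_sq(acc)

def half_trace(c):
    """H(c) = sum of c^(2^(2i)) for i = 0..(m-1)/2; H^2 + H = c when Tr(c) = 0."""
    h, s = 0, c
    for _ in range((M + 1) // 2):
        h ^= s
        s = f2m_sq(f2m_sq(s))
    return h

def on_curve(x, y):
    x2 = f2m_sq(x)
    return f2m_sq(y) ^ f2m_mul(x, y) == f2m_mul(x2, x) ^ f2m_mul(A, x2) ^ B

def compress(x, y):
    """(x, bit): the low bit of z = y/x distinguishes y from the other root y + x."""
    return x, f2m_mul(y, f2m_inv(x)) & 1

def decompress(x, bit):
    """Recover y from x and the identifying bit (claims 37-41)."""
    if x == 0:                     # then y^2 = b, so y = sqrt(b) = b^(2^(m-1))
        y = B
        for _ in range(M - 1):
            y = f2m_sq(y)
        return y
    c = x ^ A ^ f2m_mul(B, f2m_inv(f2m_sq(x)))       # c = x + a + b / x^2
    z = half_trace(c)                                # candidate root of z^2 + z = c
    if f2m_sq(z) ^ z != c:                           # fails exactly when Tr(c) = 1
        raise ValueError("no point on the curve has this x coordinate")
    if (z & 1) != bit:
        z ^= 1                                       # the other root is z + 1
    return f2m_mul(x, z)                             # y = x z

def find_point(x=2):
    """First x at or above the given value that has a point (about half of all x do)."""
    while True:
        try:
            return x, decompress(x, 0)
        except ValueError:
            x += 1

LO = M // 2                        # "second half" of an m-bit string: low 81 bits
HI = M - LO                        # "first half": high 82 bits

def key_schedule(x0):
    """Claim 52: z1 = x_1 || x_2^3 and z2 = x_2 || x_1^3 from halves of x and x^3."""
    x3 = f2m_mul(f2m_sq(x0), x0)
    lo_mask = (1 << LO) - 1
    z1 = ((x0 >> LO) << LO) | (x3 & lo_mask)
    z2 = ((x0 & lo_mask) << HI) | (x3 >> LO)
    if z1 == 0 or z2 == 0:
        raise ValueError("degenerate key: z1 or z2 is zero")
    return x3, z1, z2

def encrypt(x0, m1, m2):
    """c1 = z1 (m1 xor x0), c2 = z2 (m2 xor x0^3); m1, m2 are m-bit message halves."""
    x3, z1, z2 = key_schedule(x0)
    return f2m_mul(z1, m1 ^ x0), f2m_mul(z2, m2 ^ x3)

def decrypt(x0, c1, c2):
    x3, z1, z2 = key_schedule(x0)
    return f2m_mul(f2m_inv(z1), c1) ^ x0, f2m_mul(f2m_inv(z2), c2) ^ x3
```

Decryption inverts $z_1$ and $z_2$ in the field and removes $x_0$ and $x_0^3$ again, which is why both z values have to be checked for zero when the key is formed. The construction keys every bit of the ciphertext off a single coordinate and, as written in the claims, carries no authentication or per-message randomness, so a deployed protocol would wrap it in the usual authenticated-encryption and key-derivation layers.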

***** 